I do think checking the csrf token is some kind of validation; at least for some of my apps there are parts of validating a form which check the authorization of the request and which I couldn't easily factor out. What I did was add a "check_precondition" method to my forms and call this in an overwritten validate method. I do use custom contexts in these methods, though, which I could also register for views, so I still have most of the authorization details in one place.

regards
robert

On Mon, Oct 3, 2011 at 8:15 PM, Bobby <[email protected]> wrote:
> I was thinking of editing the deform.form class and adding the request
> as a keyword param. The request would then be used to create a token
> attribute in the __init__ method with the rest of the attributes. Then
> I would create a custom form template and add a hidden field with the
> csrf token.
>
> That takes care of creating the token. Now to checking.
>
> I am thinking this is not a case of validation, but rather a case of
> authorization. The options might be subscribing to a NewRequest event
> as in this example:
> http://stackoverflow.com/questions/6434550/how-do-you-add-csrf-validation-to-pyramid
>
> or possibly using a custom predicate in the view_config.
>
> Using an event listener might be overkill bc it will get called on GET
> requests, however adding the custom predicate to every view_config
> will get repetitive.
>
> So do you have any suggestions for an elegant way to handle this?
> Thank you.

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
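The `check_precondition` approach from the reply, combined with the request-supplied token and hidden field from the quoted message, as an added example that is not code from either poster or from deform. `PreconditionForm`, `CSRFError` and the stub request and session are hypothetical names; only `session.get_csrf_token()` mirrors Pyramid's session API, and the submitted controls are taken as a dict for brevity.

```python
import hmac
import secrets


class CSRFError(Exception):
    """Raised when the request is not authorized to submit the form."""


class StubSession:
    # Stand-in for a Pyramid session; get_csrf_token() mirrors that API.
    def __init__(self):
        self._token = secrets.token_hex(20)

    def get_csrf_token(self):
        return self._token


class StubRequest:
    def __init__(self, session):
        self.session = session


class PreconditionForm:
    # Hypothetical form wrapper, not deform's Form class.
    def __init__(self, request, required=()):
        self.request = request
        self.required = tuple(required)
        self.csrf_token = request.session.get_csrf_token()

    def hidden_field(self):
        # Rendered by the form template next to the real fields.
        return '<input type="hidden" name="csrf_token" value="%s"/>' % self.csrf_token

    def check_precondition(self, controls):
        supplied = controls.get("csrf_token") or ""
        # Constant-time comparison against the session's token.
        if not hmac.compare_digest(supplied.encode(), self.csrf_token.encode()):
            raise CSRFError("missing or mismatched CSRF token")

    def validate(self, controls):
        # Authorization first: a forged request never gets field-level errors back.
        self.check_precondition(controls)
        missing = [name for name in self.required if not controls.get(name)]
        if missing:
            raise ValueError("missing fields: " + ", ".join(missing))
        return {k: v for k, v in controls.items() if k != "csrf_token"}
```

Because the check lives in `validate`, it only runs when a submission is processed, so plain GET requests that render the form are not affected.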
